U.S. Standards Body: CFOs, Not Just CIOs, Should Consider the Risks of Data Breach
In response to a 60-day White House review last year of the nation’s cybersecurity infrastructure, the American National Standards Institute (ANSI) and the Internet Security Alliance authored a 76-page guide which addresses the needs of organizations in a data-breach heavy world.
A nice summary article can be found at NextGov (thanks to Jake K at DataLossDB for that tip). According to the article, the White House review found that “quantifying the value of protection motivates organizations to address vulnerabilities.” And when it comes to crunching numbers, especially with dollar signs attached, the CFO is typically front and center. The message of the guide is clear, and it underscores well the growing realization, worldwide, that data security is not “an IT issue.”
In many organizations, in fact in most, the security of data is referred to the “IT department.” It is true that IT tends to be the proper group to actually implement protections. But before solutions can even be discussed or pursued, they tend to run into what is commonly called the brick wall of “funding” or “budgetary appropriations.” Quite simply, IT isn’t given the money or the clout to really deal with “data security,” and, lacking the leadership and key sponsorship of the CFO, the effort fizzles. A few steps may be taken, but, far and away, the priorities fall elsewhere.
Returning to the guide, or “handbook,” the cost estimates it includes help make the point that this is indeed a business-wide decision. Here’s an excerpt from the NextGov article:
The publication estimates a data breach of 10,000 records containing personal identification information would cost about $1.6 million, assuming the company carried breach insurance with an 80 percent coverage of direct costs. That sum includes direct expenses for investigations and forensics, consulting services, notification of affected individuals, public relations, legal defense, and credit and identity monitoring — as well as the indirect cost of lost business. The handbook cites several analytical models to help chiefs assess costs and benefits.
Steps to bolster protection also include learning to view digital safety as a business strategy rather than as an operational responsibility and leading a cyber risk team of appropriate subordinates organizationwide. This team should meet in person, if possible, the publication notes. Face-to-face interactions can prevent the confusion that often occurs when separate business units speak in jargon.
Very helpful, indeed, as even the “geek speak” of the day can cause crucial issues to be lost in translation. The news headlines are packed with examples of what happens when these issues aren’t solved in time.